Re: Heroku early upgrade is raising serious questions

From: "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>
To: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
Cc: Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-advocacy(at)postgresql(dot)org
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-02 23:23:53
Message-ID: 9030F1A1-FC70-4C64-94EA-D052A483C3D4@excoventures.com
Lists: pgsql-advocacy

On Apr 2, 2013, at 6:52 PM, Joshua D. Drake wrote:

> On 04/02/2013 03:40 PM, Josh Berkus wrote:
>
>>> In other words, we are sending a terrible message to our users. I
>>> understand that this bug cannot be discussed in public but the Heroku
>>> upgrade is public and therefore the PostgreSQL community needs to come
>>> up with an explanation to make things clear and avoid misunderstandings
>>> and frustration.
>>
>> I don't think this is as big of an issue as you seem to. I do think we
>> should have some messaging around this, but I don't agree that it should
>> happen before Thursday, when we will be doing PR around the security
>> update anyway.
>>
>> I'm also happy that we're getting all this press, because it means
>> people will actually apply the darned updates.
>
> I think the overriding point of concern here is that there is an impression that somehow Heroku got special access to the fix before anyone else. Of course this isn't true, but our communication as a project has been sorely lacking this time around and this has caused some confusion about what is actually going on.

+1 - with a more outside perspective on the overall issue, I do have to say that I'm okay with any entity operating "critical infrastructure" or the like having access to a critical security patch before the source is made available. I think to reiterate what JD said, we should just communicate that better in the future.
